Code auditing evaluation criteria and processes for assessing code quality and correctness


Key takeaways

A code audit is a structured technical review of an existing codebase against seven dimensions: formatting, best practices, maintainability, architecture, documentation, security, and performance.

You should commission one before signing an acquisition LOI, before raising a Series A on inherited code, when bug rate is rising, when the original team is leaving, or when an AI-generated codebase needs a senior’s eyes.

A good audit blends static analysis (SonarQube, Semgrep, CodeQL, Snyk, Trivy) with senior human review — tools find ~60% of issues, humans catch the architectural ones machines never will.

Typical Fora Soft pricing is $2k–$8k for an MVP-scale audit, $8k–$25k for a typical SaaS, and $25k–$60k for a multi-service enterprise platform — faster than traditional audits thanks to Agent Engineering.

The deliverable is a written report with severity-ranked findings, reproducible examples, prioritised remediation plan, and a one-page executive summary an investor or buyer can read in five minutes.

Why Fora Soft wrote this playbook

Fora Soft has been auditing other people’s code since 2005 — for acquirers running due diligence, for founders inheriting messy codebases, for VCs assessing technical risk before a Series A, and for our own clients before we take over a project. We’ve looked at AI-generated codebases, decade-old PHP monoliths, modern Swift 6 apps, ROS robotics stacks, and a lot of Lovable / no-code-AI prototypes.

This article is the same checklist we use internally, plus the questions we get asked most often by buyers and CTOs. Where we cite a price band below it’s the realistic Fora Soft band — we use Agent Engineering to compress audit timelines without skipping the senior review that finds the expensive bugs.



The one-paragraph definition

A code audit is a structured, time-boxed review of a codebase, run by an independent senior team, that produces a written verdict on quality, security, performance, and maintainability — with severity-ranked findings, reproducible examples, and a prioritised remediation plan. It’s a snapshot, not a refactor; it should answer “is this safe to ship / buy / scale?” in five minutes for a non-technical reader and in fifty pages for an engineering team.

When you should commission a code audit

There are seven situations where the ROI on an audit is almost always positive.

The seven dimensions we score on

Below is the same scorecard we hand to our auditors. Every audit produces a 1–5 score per dimension, with evidence.




Dimension | What we look for | Tools we use
--- | --- | ---
Code formatting | Style consistency, naming, dead code, file layout | Prettier, Black, ESLint, SwiftLint
Best practices | Idiomatic patterns, framework usage, anti-patterns | SonarQube, Semgrep, language linters
Maintainability | Cyclomatic complexity, duplication, test coverage, module boundaries | SonarQube, jscpd, Codecov
Architecture | Coupling, data flow, scalability, anti-patterns | Manual senior review, dependency graphs
Documentation | README, API docs, ADRs, run-books, onboarding | Manual review
Security | OWASP Top 10, dependency CVEs, secrets, IAM, crypto | CodeQL, Snyk, Trivy, gitleaks, Burp Suite
Performance | Hot paths, query plans, allocations, P95 latency | Profilers, load tests, k6, py-spy, MetricKit



How we run an audit — the eight-step process

1. Scoping (1–2 days). What languages, what services, what risk areas matter most, what does “done” look like, who reads the report. Output: a written statement of work with a fixed price.

2. Repository onboarding (0.5 day). Clone, build, run tests, snapshot CI, freeze a commit hash so findings are reproducible.

3. Static analysis sweep (1–3 days). SonarQube + Semgrep + CodeQL + Snyk + Trivy + gitleaks. Every finding gets triaged before going into the report.

4. Senior architectural review (3–7 days). A senior engineer reads the code by feature path, draws data-flow diagrams, validates the boundaries the static tools can’t see.

5. Security deep-dive (1–3 days). Threat-model walkthrough, manual review of authn/authz/crypto/IAM, dependency CVEs, secrets in history.

6. Performance check (1–2 days). Profiling on representative traffic, query-plan review, identify the top three latency / cost hotspots.

7. Report writing (2–3 days). Findings, severity, reproduction, recommended fix, executive summary, scorecard.

8. Walk-through call (1 hour). We present the report, walk through the highest-severity items, and answer questions live. The recording becomes part of the deliverable.

The 2026 tooling stack we ship with

No single tool covers everything. The blend below catches roughly 60% of issues automatically — the remaining 40% is senior judgement.

Severity model and how we triage findings




Severity | Definition | Example | SLA
--- | --- | --- | ---
Blocker | Deal-stopping or imminent breach | Plaintext secrets in git, broken auth | Fix this week
Critical | High likelihood, high impact | SQLi, IDOR, missing rate limit | Fix in sprint
Major | Significant debt or risk | No tests on payment flow, leaky logging | Fix this quarter
Minor | Quality improvement | Inconsistent naming, dead code | Backlog grooming
Info | Stylistic / future-proofing | Suggested refactor, library upgrade | Optional



Internal vs external audit — when to do which




Dimension | Internal review | External audit (us / peers)
--- | --- | ---
Independence | Limited — same biases | High — outside eyes
Cost | Engineering time only | Fixed price ($2k–$60k)
Stakeholder weight | Engineering only | Investors, buyers, board
Cadence | Quarterly / per release | Annually + on milestone
Best for | Continuous quality, hardening | Diligence, M&A, post-incident





a third party (investor, buyer, regulator, board) needs to read the verdict — or when the codebase is unfamiliar enough to your own team that they can’t see the icebergs.

A worked cost example: three audit sizes

Approximate Fora Soft pricing in 2026, with Agent Engineering shaving roughly 30% off comparable traditional audits. We won’t commit to a fixed price without scoping; the bands below are realistic.




Audit size | Codebase | Duration | Indicative range
--- | --- | --- | ---
MVP / single service | ~30k LOC, 1 service | 1–1.5 weeks | $2k–$8k
Mid-size SaaS | ~150k LOC, 3–6 services | 2–3 weeks | $8k–$25k
Enterprise platform | 500k+ LOC, 10+ services | 4–6 weeks | $25k–$60k





What the deliverable actually looks like

A Fora Soft audit deliverable contains six artefacts. We hand them all over — not just a PDF.

Auditing AI- and Lovable-generated codebases

Vibe-coded prototypes — built in Lovable, Bolt, v0, Cursor or Cline — have a recognisable shape: clean-looking React components, hidden API keys, fragile error handling, missing tests, and an AuthN/AuthZ layer that looks superficially correct but breaks under five-minute review. We see them weekly. Our audit checklist for these codebases focuses on:

For more on the “Lovable bug economy” we see daily, read our Lovable app bugs and fix-cost guide.

Mini case: a $4M deal saved (or killed) by a two-week audit

Situation. A US strategic acquirer was ready to sign a $4M LOI for a Series-A SaaS company. The target had a small Eastern-European engineering team and three years of code. The acquirer wanted an independent verdict before committing.

12-day plan. Day 1–2: scoping and repo onboarding. Day 3–5: SAST + SCA + secrets sweep. Day 6–9: senior architectural review across the four core services. Day 10–11: report writing. Day 12: walk-through call.

Outcome. Three blocker findings (plaintext production keys in git, broken multi-tenant isolation in the analytics service, no backup-restore plan), seven critical (incl. SQLi exposures and a vulnerable JWT validator), 22 majors. The acquirer reduced the offer by 18% to fund remediation, included a representations-and-warranties clause for the blockers, and closed two weeks later. The audit fee paid for itself ~80×.


A decision framework — pick the right scope in five questions

Q1. Who reads the report? A CEO → lead with executive summary. A board → add scorecard with peer comparison. An auditor → map findings to compliance controls.

Q2. What is the trigger? M&A → broad coverage, security and IP heavy. Series A → architecture and scalability heavy. Post-incident → root-cause + remediation focus.

Q3. How big is the codebase? Under 30k LOC → one auditor, 1.5 weeks. 30–200k → two auditors, 3 weeks. 200k+ → auditing pod, 4–6 weeks.

Q4. Do you need a pen-test too? If you’re selling to enterprise or moving to SOC 2, yes — bundle it. Otherwise the audit gets you 70% of the way at half the cost.

Q5. Can the result kill the deal? Be honest with your sponsor on day one. Auditors who optimise for “passing” reports lose their value within a year.

Five pitfalls we see every quarter

1. Tools-only audits. A SonarQube dump is not an audit. Without senior judgement you miss the architectural icebergs.

2. No reproducible findings. Every finding must compile down to a file, line, evidence, and a fix path. “Generally insecure” is useless.

3. Auditing the team, not the code. Reviewers should never inherit the team’s narrative. They walk into the code cold.

4. Skipping the executive summary. The CEO will skim. If page one doesn’t land, the report dies.

5. Treating it as a one-off. Codebases drift. Audits should repeat — full annually, lite quarterly — with remediation tracked across cycles.

KPIs to track after an audit

1. Closure KPIs. Blocker / critical fixed within sprint, percentage of major findings closed within quarter, mean time-to-close per severity.

2. Quality KPIs. SonarQube quality-gate trend, dependency CVE count, test coverage, P95 latency.

3. Process KPIs. Code review cycle time, PR size distribution, deploy frequency, change-failure rate. The DORA metrics catch the regression of audited improvements.
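As an added example that is not Fora Soft's own tooling: the severity ladder from the triage table applied to raw findings, with the reproducibility rule from pitfall 2 (file, line, evidence, fix path) as the gate for what enters the report, and the mean time-to-close closure KPI computed per severity. The rule-id prefixes and the sample findings are assumptions constructed here, not output from a real audit.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Severity ladder from the triage table, highest first, with its SLA.
SLA = {"Blocker": "Fix this week", "Critical": "Fix in sprint",
       "Major": "Fix this quarter", "Minor": "Backlog grooming", "Info": "Optional"}
ORDER = list(SLA)

# Assumed rule-id prefix -> severity mapping; real ids depend on each tool's ruleset.
RULE_SEVERITY = [("secrets.", "Blocker"), ("auth.", "Blocker"), ("sqli.", "Critical"),
                 ("idor.", "Critical"), ("logging.", "Major"), ("tests.", "Major"),
                 ("style.", "Minor")]

@dataclass
class Finding:
    rule_id: str
    path: str
    line: int
    evidence: str            # offending snippet, so the finding reproduces
    fix: str                 # recommended fix path
    opened: date
    closed: date = None      # None while the finding is still open

def severity_for(rule_id):
    return next((s for p, s in RULE_SEVERITY if rule_id.startswith(p)), "Info")

def is_reproducible(f):
    # Pitfall 2: file, line, evidence and a fix path, or it stays out of the report.
    return bool(f.path) and f.line > 0 and bool(f.evidence.strip()) and bool(f.fix.strip())

def triage(findings):
    """Report rows (severity, SLA, finding), highest severity first."""
    rows = [(severity_for(f.rule_id), f) for f in findings if is_reproducible(f)]
    rows.sort(key=lambda r: ORDER.index(r[0]))
    return [(s, SLA[s], f) for s, f in rows]

def mean_time_to_close(findings):
    """Closure KPI: mean days open per severity, counting closed findings only."""
    days = {}
    for f in findings:
        if f.closed is not None:
            days.setdefault(severity_for(f.rule_id), []).append((f.closed - f.opened).days)
    return {s: mean(v) for s, v in days.items()}

# Constructed sample findings, not output from a real audit.
SAMPLE = [
    Finding("style.naming", "src/util.js", 12, "var Tmp = 1", "rename to camelCase", date(2026, 3, 2), date(2026, 4, 20)),
    Finding("sqli.raw-query", "api/users.py", 88, 'execute("... id=%s" % uid)', "use a parameterised query", date(2026, 3, 2), date(2026, 3, 9)),
    Finding("secrets.aws-key", ".env", 3, "AWS_SECRET_ACCESS_KEY=<redacted>", "rotate key, purge git history", date(2026, 3, 2), date(2026, 3, 4)),
    Finding("logging.pii", "api/auth.py", 41, "", "", date(2026, 3, 2)),  # no evidence or fix: rejected
]
```

The rejected fourth finding is the "generally insecure" case: without evidence it never reaches the report, and while open it does not count toward time-to-close.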

When you should NOT commission a code audit

Three scenarios where the spend isn’t justified. First, a working prototype with under 5k LOC where the team is iterating weekly — the codebase will look completely different in a quarter. Second, a stable product with a strong internal review culture and a recent SOC 2 report — you already have the evidence. Third, when leadership won’t fund any remediation — the audit will only become a list of grievances.

Where audits go next — agent-assisted reviews

Two trends are reshaping the practice. Continuous audits — pipelines that run a senior-grade review on every PR using LLM-driven agents under a senior’s supervision — are starting to replace point-in-time reviews. AI-on-AI scrutiny — reviewers spending more cycles on prompt-injection, model-supply-chain risk and unauthorized data exfiltration through embeddings or eval logs — is now standard for any product that ships LLM features. Both are part of how we work in 2026; see our AI in software development process guide for the broader picture.



FAQ

How long does a code audit take?

For an MVP-sized codebase 1–1.5 weeks; for a typical SaaS 2–3 weeks; for a large multi-service platform 4–6 weeks. Agent Engineering compresses these by ~30% vs traditional teams.

Do I need to give you full repo access?

Read-only access on a frozen branch is enough. We sign an NDA, work in an isolated environment, and return the artefacts — we don’t keep your code.

Is a code audit the same as a penetration test?

No. A code audit reviews source for quality, security, and architecture. A pen test attacks the running system from outside. They’re complementary; many clients commission both.

Can you audit AI-generated code from Cursor or Lovable?

Yes — we do this weekly. The patterns are predictable (client-side auth, missing server checks, dependency CVEs, zero tests) and our checklist is tuned for them.

Do you fix what you find?

We can — as a follow-on engagement — or hand the report to your team. To keep the audit independent, the original auditors don’t implement; a separate Fora Soft pod handles remediation if you want us to do both.

Will the report be shareable with investors / acquirers?

Yes — we structure deliverables for investor-grade sharing, with an executive summary, a clear scope statement, and an evidence appendix that holds up under data-room scrutiny.

How often should we audit?

A full audit annually for any production product; a lite review quarterly; on-demand for material milestones (M&A, funding rounds, regulatory deadlines, post-incident).

Can we run the static-analysis pieces ourselves?

Yes — SonarQube, Semgrep, Snyk and gitleaks are all open-source-friendly. The work that needs an external auditor is the senior architectural review and the investor-ready report.


Ready to commission an audit that holds up in a data room?

A code audit answers a yes/no question with evidence: is this codebase safe to ship, buy or scale? Use it before you sign, before you raise, before you migrate, and after you’ve been bitten. Pick the right scope to your audience, blend tools and human judgement, and demand a deliverable that an investor can read in five minutes and an engineer can execute against on day one.

If you want a partner who’s shipped audits across M&A diligence, Series A rounds, AI-generated codebases and post-incident reviews — talk to us. We’ll quote in 48 hours and start within a week.

